magnify
Home Posts tagged "Privacy"

ECtHR Judgment in Big Brother Watch v. UK

Published on September 17, 2018        Author: 

Last week the European Court of Human Rights issued a highly anticipated blockbuster Chamber judgment in Big Brother Watch v. UK, nos. 58170/13, 62322/14, 24960/15.

This is the first mass electronic surveillance case to be decided against the UK after the Edward Snowden revelations, and it touches upon numerous issues. The judgment is nuanced, complex, and long. It addresses key questions such as the proportionality of bulk interception programmes much more directly and with greater sophistication than the recent judgment in Centrum för Rättvisa v. Sweden no. 35252/08, which was decided by a different Chamber while this case was being deliberated, and which also upheld a bulk surveillance programme (see here for Asaf Lubin’s take on Just Security).

The judgment is too rich to summarize easily, so I will only set out some key takeaways (for an extensive discussion on surveillance and privacy in the digital age, see my 2015 Harvard ILJ piece).

First, and most importantly, the judgment is a mixed bag for privacy activists: while the Court finds that the UK’s surveillance programme under the now-defunct Regulation of Investigatory Powers Act (RIPA) was deficient in important respects and in violation of Article 8 and 10 of the Convention, it at the same time normalizes such mass surveillance programmes. In particular, the Court decided that bulk interception programmes are not categorically disproportionate, as privacy activists have argued. Second, in a similar vein, the Court finds that prior judicial authorization is not indispensable for the legality of bulk interception, again contrary to what privacy activists have argued, even if prior judicial authorization could be seen as best practice (note that under the new 2016 Investigatory Powers Act the UK has moved to a double-authorization system which involves both a minister and an independent quasi-judicial commissioner).

Here are the key paragraphs (warning – extracts from the judgment make this a lengthy post):

Read the rest of this entry…

 

ECHR Jurisdiction and Mass Surveillance: Scrutinising the UK Investigatory Power Tribunal’s Recent Ruling

Published on June 9, 2016        Author: 

Last week, as discussed in a post by Marko Milanovic, the UK Investigatory Powers Tribunal (IPT) ruled that it lacked jurisdiction under the European Convention of Human Rights (ECHR) to adjudicate Article 8 and 10 claims brought by persons “situated outside” of the UK (para. 60). The IPT is a specialised judicial body that hears complaints about surveillance by public bodies, including British security and intelligence agencies. IPT decisions are not subject to direct appeal in the UK. We are therefore likely to see this ruling quickly challenged before the European Court of Human Rights (ECtHR).

Background

The backdrop to this litigation is convoluted. I sketch out the context in this post as I believe it will enrich discussion of the jurisdictional issues which are at the heart of this dispute. In 2013, following the Snowden disclosures, Privacy International, together with nine other NGOs, filed a case before the IPT challenging two aspects of the UK’s surveillance regime. First, the claimants challenged UK access to the communications of persons located within the UK collected by the US National Security Agency (NSA) under PRISM and Upstream. Under PRISM, the NSA collected data from US companies including Yahoo and Google. Under Upstream, the NSA intercepted data in bulk from hundreds of undersea fibre optic cables. Second, the claimants challenged Tempora, the British counterpart to Upstream, under which the Government Communications Headquarters (GCHQ) intercepted data in bulk from over 200 cables landing in the UK.

In February 2015, the IPT found that US-UK intelligence sharing – pursuant to PRISM and Upstream – was unlawful prior to 5 December 2014 because the legal framework governing it was hidden from the public (according to the IPT, that framework was sufficiently disclosed over the course of the proceedings so as to render the sharing of intelligence legal from that point forward). Read the rest of this entry…

 

UK Investigatory Powers Tribunal Rules that Non-UK Residents Have No Right to Privacy under the ECHR

Published on May 18, 2016        Author: 

In another major development on the surveillance/privacy front, on Tuesday the UK specialized surveillance court, the Investigatory Powers Tribunal, ruled that persons not present within the United Kingdom are not within the jurisdiction of the UK in the sense of Article 1 of the European Convention on Human Rights, and accordingly do not have any of the rights under that Convention (para. 49 et seq). In other words, a person in say France or the United States subjected to surveillance by GCHQ does not have an ECHR right to privacy vis-a-vis the UK, which accordingly has no Convention claim to answer. This is I think the first time that a British court has expressly dealt with extraterritoriality in the surveillance context. The IPT’s reasoning essentially rests on a Bankovic analogy – if you are in say Serbia and the UK drops a bomb on you, the Strasbourg Court has said that you don’t have the right to life. How could you then have the right to privacy if all the UK did was to simply read your email while you were in Serbia?

I have extensively argued elsewhere why that analogy is wrong (as is Bankovic itself), so I won’t belabour that point further (see here and here). It was entirely predictable that the IPT would adopt this restrictive position, which is perfectly plausible under Strasbourg case law (even if fundamentally mistaken). The IPT was correct in ruling, however, that distinctions as to the Convention’s applicability can’t really be made on the basis of whether the person is present is some other Council of Europe state, or is outside the ECHR’s espace juridique altogether. Anyway, the issue of the Convention’s extraterritorial applicability to mass electronic surveillance abroad is one for Strasbourg to decide and (hopefully) fix, and it will have the opportunity to do so in these cases and others. What the Court will do is of course anyone’s guess, because its decision will inevitable have ripple effects on other scenarios, such as extraterritorial uses of lethal force, e.g. drone strikes.

I have also argued, however, that there is particular scenario in which the applicability of the Convention becomes more attractive (or less dangerous as a matter of policy) – when the surveillance actually takes place within the surveilling state’s territory, even if the affected individual is outside it. Imagine, for example, if the UK police searched my flat in Nottingham while I was visiting family in Serbia – surely I would have Article 8 rights, even though I would not be on UK territory when the search took place. Why then should I not have these rights if an email I send while I am in Serbia is routed through my university server in Nottingham and intercepted by GCHQ there? In both cases the intrusion into privacy happens on the UK’s territory, even if I am outside it. In fact, in its judgment the IPT briefly addresses this scenario, if all too briefly and less than convincingly, although I’m not sure that the point was extensively argued.

In any case, the main paragraphs on the jurisdiction issue are below the fold. The judgment also deals with the very important question of standing/victim status, finding that all but six of the 600+ claimants lacked locus standi even under a very low threshold of showing that they are ‘potentially at risk’ from surveillance measures (applying the European Court’s recent Zakharov judgment, para. 171).

Read the rest of this entry…

 

Silencing the Canary: the lawfulness of the U.K. Investigatory Powers Bill’s secrecy provisions under the ECHR

Published on May 17, 2016        Author: 

Following the Snowden revelations in 2013 concerning the complicity of the tech industry in widespread electronic government surveillance in the U.S., tech companies have individually and collectively become increasingly active as advocates of privacy and free speech rights, culminating in legal challenges to government electronic surveillance.

Since the dropping by the U.S. Department of Justice (DOJ) of its much publicised writ against Apple, which sought to compel Apple to hack the security key code system of the Apple iPhone 5, the battle between tech companies and the DOJ over privacy and encryption in the U.S. has taken another turn.  In April, Microsoft filed a suit in the District Court of Seattle against the DOJ challenging the ‘secrecy order’ provisions (a range of anti-tipping off and gagging powers) under the Electronic Communications Privacy Act (ECPA).

With the Investigatory Powers Bill (IPB), which contains similar secrecy requirements, currently being debated before the U.K. Parliament, the U.S. case provides fair warning of possible human rights challenges tech companies may bring against the U.K. government. This post will consider the implications of the Bill’s secrecy provisions in light of the rights of tech companies under the European Convention on Human Rights (ECHR).

The Microsoft – DOJ claim                                                 

In short, the ECPA allows a U.S. government agency to apply to the Court for a warrant requiring Microsoft, or any other internet company, to hand over their customers’ private data. In addition, an order can be made by the court preventing the company from publicising the fact that they have been required to disclose the data. Read the rest of this entry…

 
Comments Off on Silencing the Canary: the lawfulness of the U.K. Investigatory Powers Bill’s secrecy provisions under the ECHR